As of very early Wednesday morning, I don’t hear any loud screams of pain from the May Patch Tuesday bumper crop of patches. There’s still much we don’t know about the “WannaCry-like” security hole in pre-Win8 versions of Windows — more about that in a moment — but all indications at this point lead me to believe that it’s smarter to patch now and figure out how to fix any damage later.
The cause is a bug in Microsoft’s Remote Desktop Services that can allow an attacker to take over your earlier-generation Windows PC if it’s connected to the internet. Not all machines are vulnerable. But the number of exposed machines — the size of the honey jar — makes it likely that somebody will come up with a worm shortly.
In short, if you have a PC that runs any of these:
- Windows XP (including Embedded)
- Windows Server 2003, Server 2003 Datacenter Edition
- Windows 7
- Windows Server 2008, Server 2008 R2
You need to get patched now. Tell your friends.
Source of the security hole
You can read about the nature of the security hole in the original announcement from Simon Pope, the Microsoft Security Response Center director of incident response. There’s a detailed analysis about what little we know from Dan Goodin at Ars Technica. Most of the reports online rehash the same story, but it’s worth noting that Microsoft credits discovery of the vulnerability to the National Cyber Security Center, which is the “public-facing arm of the UK’s spy agency, GCHQ.” Shades of WannaCry, which originated with the NSA.
The problem, as always, doesn’t lie with the good intentions of the patchers. The devil lies in the implementation details. As of this moment, it looks like the patches aren’t causing more problems than they fix.
That’s particularly remarkable because in the case of the Win7 cluster patches, they include a fix for a completely different security hole, the so-called “Microarchitectural Data Sampling (MDS)” vulnerability, which has much in common with Meltdown and Spectre. (Catalin Cimpanu has the details on ZDNet with a good short synopsis by @AceOfAces on AskWoody.) You may recall that patching Meltdown and Spectre has provoked much wailing and gnashing of teeth for thousands of would-be patchers, yet there’s never been an infection spotted in the wild.
With Microsoft’s patch-bundling propensities, you can’t fix one without dragging in the other. For the Windows 7 and Windows Server patches, you can’t fix the immediate problem — this wormable RDS security hole — without also installing a fix for a problem that won’t appear any time soon and, indeed, may not even exist in the real world (see Andy Greenberg’s article in Wired).
What we don’t know
I think it’s fair to say that we don’t know much at all about the “wormable” RDS vulnerability or the fix. For example:
- Win XP and Win7 are patched, but what happened to Vista? (Thx, @Cybertooth.) Did Microsoft forget to patch it, is it being swept under the rug — or is it immune? An anonymous poster on AskWoody says that it has to be affected because Server 2008 is affected — certainly logical — but it’s an open question if the Server 2008 patch will work on Vista.
- Can you block your machine with something less drastic than a largely untested security patch? Turn off RDP? Block port 3389, which is usually used for RDP? (Microsoft says that you can enable NLA and force authentication, but are less-invasive — and much more readily understood — alternatives available?)
More interesting — if Windows XP gets fixed, what can we infer about the long-term viability of Windows 7? Windows XP was taken off life support five years ago. If a future bug is bad enough, will Microsoft fix Win7?
What you should do
Before you make any changes, run a full system image backup. With less than 24 hours of experience with these patches under our belts, making a full backup is even more important than usual.
If you’re running Windows XP or Server 2003 (more accurately, Windows XP SP3, Windows Server 2003 SP2, Windows XP Professional x64 Edition SP2, Windows XP Embedded SP3, Windows Embedded POSReady 2009, and Windows Embedded Standard 2009 — which, yes, probably includes your aging cash register), you need to manually download and install the patch. The patch you want is called KB 4500331.
If you’re running Windows 7, Server 2008 SP2, or Server 2008 R2, you should install the May Monthly Rollup. If you have an antivirus product from Sophos, Avira, Avast, AVG or McAfee, make sure it’s up to date. Then follow AKB 2000004: How to apply the Win7 and 8.1 Monthly Rollups. If you see KB 4493132, the “Get Windows 10” nag patch, make sure it’s unchecked. DON’T CHECK any unchecked patches.
Those of you who insist on manually installing the Security-only patches should proceed as usual.
If you’re still running Windows Vista, bless yer heart; drop by the AskWoody Lounge, and we’ll step you through it.
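If you want to see where a Win7 or Server 2008 R2 box stands on the items above before and after patching (is RDP on, is NLA enforced, is anything listening on 3389, is the patch in the hotfix list), here is an added PowerShell check. It is not from this post or from Microsoft; it reads the standard Terminal Server registry values and Get-HotFix, assumes an elevated prompt on PowerShell 2.0 or later, and the $RollupKb value is a placeholder you replace with the KB number of the May Monthly Rollup you installed (KB4500331 is the XP/Server 2003 standalone patch named above).

```powershell
# Added example (not from the AskWoody post): local check of the RDS exposure
# items discussed above, for Win7 / Server 2008 R2 with PowerShell 2.0+.
# Run elevated. $RollupKb is a placeholder; substitute the KB number of the
# May Monthly Rollup you actually installed.
param(
    [string]$StandaloneKb = 'KB4500331',    # XP / Server 2003 patch named in the post
    [string]$RollupKb     = 'KB_PLACEHOLDER' # Win7 / Server 2008 R2 May Monthly Rollup
)

$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpKey = "$tsKey\WinStations\RDP-Tcp"

# 1. Is Remote Desktop enabled at all? fDenyTSConnections = 1 means disabled.
$deny = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
$rdpEnabled = ($deny -ne 1)

# 2. Is Network Level Authentication required? UserAuthentication = 1 means NLA on.
#    A missing value is treated as "not required".
$nla = (Get-ItemProperty -Path $rdpKey -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication
$nlaRequired = ($nla -eq 1)

# 3. Is anything listening on TCP 3389? netstat keeps this working on PowerShell 2.0,
#    where Get-NetTCPConnection does not exist.
$listening = netstat -ano | Select-String ':3389\s+\S+\s+LISTENING'
$portOpen = [bool]$listening

# 4. Is either fix present in the installed-hotfix list?
$installed = Get-HotFix | Where-Object { $_.HotFixID -eq $StandaloneKb -or $_.HotFixID -eq $RollupKb }
$patched = [bool]$installed

# Summarise. "Exposed" here means RDP on and listening, NLA off, and no patch seen.
$report = New-Object PSObject -Property @{
    RdpEnabled   = $rdpEnabled
    NlaRequired  = $nlaRequired
    Port3389Open = $portOpen
    PatchFound   = $patched
    Exposed      = ($rdpEnabled -and $portOpen -and -not $nlaRequired -and -not $patched)
}
$report | Format-List

if ($report.Exposed) {
    Write-Warning 'RDP is reachable without NLA and no patch was found: install the patch, or disable RDP / block 3389 until you can.'
}
```

A PatchFound of False with a freshly installed rollup usually just means the wrong KB number was passed in; compare against what Get-HotFix lists by date.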
Thx T, PKCano, abbodi86, Cavalary, Cybertooth, AceOfAces, many others
Stay up on the latest on the AskWoody Lounge.